Protect your Identities with Azure AD Identity Protection (part 1)

 


To read part 2 please click here


What is Azure Active Directory Identity Protection?

Identity Protection is a solution built into Azure AD that is designed to protect your identities through a three-part process: it helps you automatically detect, remediate, and investigate the identity-based risks for your organization without hiring expensive security experts.

What are risks?

A risk is a suspicious activity or action by a user, either when they sign in or after they have signed in. Risks are therefore categorized in two ways: as user risks and as sign-in risks.

User Risk

A user risk indicates that a user's identity or account may be compromised. User risks include:

Risk | Description
Unusual behavior | The account showed unusual activity, or its patterns of usage are similar to patterns that Microsoft systems and experts have identified as attacks.
Leaked credentials | The user's credentials could have been leaked. For example, Microsoft might have found a list of leaked credentials on the dark web that includes your user account.


Sign-in Risk

Here, Identity Protection scrutinizes each authentication request to judge whether it was authorized by the owner of the identity. Sign-in risks include:

Risk | Description
Unfamiliar sign-in properties | Identity Protection remembers and learns a particular user's sign-in history. For example, when a sign-in occurs from a location that is unusual for that user, a risk detection is triggered.
Atypical travel | For example, when two or more sign-ins occur from distant locations in an unrealistically short time period, a risk detection is raised.
Malware-linked IP address | For example, if the IP address the sign-in originates from is known to have been in contact with an active bot server, a risk detection is raised.
Anonymous IP address | For example, a sign-in originates from an anonymous IP address. Because such addresses can be used by attackers to hide their real IP address or location, a risk detection is raised.

 

Detect risks with Azure AD Identity Protection policies

Risk policies help your organization respond appropriately and rapidly to identity risk. Your company can easily leverage risk policies and avoid hiring external contractors to handle identity-based risks.

Different types of risk policy are available depending on the type of identity risk: you can use a sign-in risk policy or a user risk policy.

Sign-in risk policy

A sign-in risk policy scrutinizes every sign-in and gives it a risk score that indicates the probability that the sign-in was attempted by the person whose credentials are used. Based on the risk level, you can choose whether to allow access, block it automatically, or allow access only after additional requirements are met. You configure a sign-in risk policy through a form in the Azure portal, specifying settings such as:

  • The users this policy should target.
  • The conditions that must be met, such as how high a score triggers a policy.
  • How you want to respond.

Confirm that users are already registered for Azure AD Multi-Factor Authentication before you apply this policy. After a sign-in risk is identified, the user is asked to take action to remediate the risk and is told what triggered the risk and what they need to provide to resolve the issue.

User risk policy

Here, Identity Protection automatically learns the user's normal behavioral patterns and uses this knowledge to calculate the likelihood that the user's identity has been compromised. This helps the admin decide whether to allow access, block it, or allow access only after additional requirements are met.

You specify the same kind of settings: the users this policy should target, the conditions that must be met, and how you will respond. Make sure that users are already registered for self-service password reset before you apply this policy. After a user risk is identified, the user is asked to take action to remediate that risk and is told what triggered it and what they need to provide to resolve the issue.
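As an added example (not part of the original post), the two policies described above can also be defined as Conditional Access policies with the Microsoft Graph PowerShell module instead of the portal form. It assumes the Microsoft.Graph module is installed and the signed-in admin can write Conditional Access policies; the emergency-access account ID is a placeholder.

```powershell
# Added example: sign-in risk and user risk policies via Microsoft Graph PowerShell.
# Both start in report-only state so you can review which sign-ins would be affected
# before enforcing them.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlass = "<OBJECT-ID-OF-EMERGENCY-ACCESS-ACCOUNT>"   # placeholder, not a real ID

# Sign-in risk policy: target all users, trigger on medium or high sign-in risk,
# respond by requiring MFA. Users must already be registered for Azure AD MFA.
$signInRiskPolicy = @{
    DisplayName = "Identity Protection - sign-in risk (medium/high) - require MFA"
    State       = "enabledForReportingButNotEnforced"   # change to "enabled" once reviewed
    Conditions  = @{
        Users            = @{ IncludeUsers = @("All"); ExcludeUsers = @($breakGlass) }
        Applications     = @{ IncludeApplications = @("All") }
        SignInRiskLevels = @("medium", "high")
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $signInRiskPolicy

# User risk policy: trigger on high user risk, respond by requiring a secure
# password change. "passwordChange" must be combined with "mfa" using the AND
# operator, and users must be registered for self-service password reset.
$userRiskPolicy = @{
    DisplayName = "Identity Protection - user risk (high) - require password change"
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users          = @{ IncludeUsers = @("All"); ExcludeUsers = @($breakGlass) }
        Applications   = @{ IncludeApplications = @("All") }
        UserRiskLevels = @("high")
    }
    GrantControls = @{ Operator = "AND"; BuiltInControls = @("mfa", "passwordChange") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $userRiskPolicy
```

Excluding an emergency-access account keeps an admin path open if a risk detection ever flags every user at once.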

 
